
[5.10,042/103] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Message ID 20210419130529.251281725@linuxfoundation.org
State Superseded

Commit Message

Greg Kroah-Hartman April 19, 2021, 1:05 p.m. UTC
From: Aditya Pakki <pakki001@umn.edu>

[ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ]

In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
is freed and later under spinlock, causing potential use-after-free.
Set the free pointer to NULL to avoid undefined behavior.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/message.c | 1 +
 net/rds/send.c    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

Comments

Pavel Machek April 19, 2021, 9:29 p.m. UTC | #1
Hi!

> [ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ]
> 
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.

This patch is crazy. Take a look at Message-ID:
<20210419084953.GA28564@amd>. Or just look at the patch :-).

Best regards,
								Pavel
> +++ b/net/rds/message.c
> @@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
>  		rds_message_purge(rm);
>  
>  		kfree(rm);
> +		rm = NULL;
>  	}
>  }
>  EXPORT_SYMBOL_GPL(rds_message_put);
> diff --git a/net/rds/send.c b/net/rds/send.c
> index 985d0b7713ac..fe5264b9d4b3 100644
> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);
>  	}
>
Greg Kroah-Hartman April 20, 2021, 7:13 a.m. UTC | #2
On Mon, Apr 19, 2021 at 03:05:53PM +0200, Greg Kroah-Hartman wrote:
> From: Aditya Pakki <pakki001@umn.edu>
> 
> [ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ]
> 
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c    | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/rds/message.c b/net/rds/message.c
> index 799034e0f513..4fc66ff0f1ec 100644
> --- a/net/rds/message.c
> +++ b/net/rds/message.c
> @@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
>  		rds_message_purge(rm);
>  
>  		kfree(rm);
> +		rm = NULL;
>  	}
>  }
>  EXPORT_SYMBOL_GPL(rds_message_put);
> diff --git a/net/rds/send.c b/net/rds/send.c
> index 985d0b7713ac..fe5264b9d4b3 100644
> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);
>  	}
>  
> -- 
> 2.30.2
> 
> 
> 

Ah crap, I will go drop this stuff.

I also will strongly recommend that all maintainers blacklist umn.edu
patches at this point in time, as it is obvious that a professor there
is operating a sociological experiment on Linux kernel maintainers and
is wasting our time.

This is not ok.

greg k-h
Greg Kroah-Hartman April 20, 2021, 7:21 a.m. UTC | #3
On Mon, Apr 19, 2021 at 11:29:30PM +0200, Pavel Machek wrote:
> Hi!
> 
> > [ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ]
> > 
> > In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> > is freed and later under spinlock, causing potential use-after-free.
> > Set the free pointer to NULL to avoid undefined behavior.
> 
> This patch is crazy. Take a look at Message-ID:
> <20210419084953.GA28564@amd>. Or just look at the patch :-).

You are correct, everything submitted from this author and domain
recently was done as a "research project" to see if they could mess with
kernel maintainers and slip in pointless changes to the kernel.

Not acceptable at all...

greg k-h
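Pavel's "just look at the patch" is the whole point: `rm = NULL` is assigned to a by-value parameter of rds_message_put(), so the caller's `rm` is unchanged and the new `&& rm` test in rds_send_remove_from_sock() is always true. The C model below is added here and is neither kernel code nor part of the patch; it uses a constructed `struct msg` with a `freed` flag in place of kfree() and mirrors only the shape of the two hunks, showing that the two puts are correct when the message holds the two references this path drops, and that the added guard never fires when it does not.

```c
#include <stddef.h>

/* Constructed stand-in for struct rds_message: a 'freed' flag plays the role
 * of kfree(), so a put() on a dead object is counted, not undefined. */
struct msg { int refcount; int freed; };

static int uaf_touches;  /* puts that ran against an already-freed message */

/* Shape of the patched rds_message_put(). The pointer is passed by value, so
 * 'm = NULL' clears only this function's own copy, never the caller's. */
static void msg_put(struct msg *m)
{
    if (m->freed)
        uaf_touches++;
    if (--m->refcount == 0) {
        m->freed = 1;
        m = NULL;        /* the hunk's addition: invisible to the caller */
    }
}

/* Shape of the patched unlock_and_drop path: one unconditional put, a second
 * one if the socket held a reference. Returns 1 if '&& rm' suppressed it. */
static int remove_from_sock(struct msg *rm, int was_on_sock)
{
    msg_put(rm);
    if (was_on_sock && rm) {
        msg_put(rm);
        return 0;
    }
    return was_on_sock;
}

/* Message holding the two references this path drops: both puts are fine. */
static int two_refs_are_safe(void)
{
    struct msg m = { .refcount = 2, .freed = 0 };
    uaf_touches = 0;
    remove_from_sock(&m, 1);
    return m.freed == 1 && uaf_touches == 0;
}

/* Message with only one reference: the caller's rm is still non-NULL, so the
 * guard does not fire and the second put hits the freed object. */
static int guard_never_fires(void)
{
    struct msg m = { .refcount = 1, .freed = 0 };
    uaf_touches = 0;
    return remove_from_sock(&m, 1) == 0 && uaf_touches == 1;
}
```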

Patch

diff --git a/net/rds/message.c b/net/rds/message.c
index 799034e0f513..4fc66ff0f1ec 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -180,6 +180,7 @@  void rds_message_put(struct rds_message *rm)
 		rds_message_purge(rm);
 
 		kfree(rm);
+		rm = NULL;
 	}
 }
 EXPORT_SYMBOL_GPL(rds_message_put);
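Review bot: The `rm = NULL` added after `kfree(rm)` assigns to this function's own by-value parameter and is dead code at the end of the block; it cannot clear the `rm` held by any caller of rds_message_put(), so it gives no protection against a later use of that pointer. If a caller's pointer needs neutralising, the caller has to clear it after the put; otherwise this line should be dropped.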
diff --git a/net/rds/send.c b/net/rds/send.c
index 985d0b7713ac..fe5264b9d4b3 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -665,7 +665,7 @@  static void rds_send_remove_from_sock(struct list_head *messages, int status)
 unlock_and_drop:
 		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
 		rds_message_put(rm);
-		if (was_on_sock)
+		if (was_on_sock && rm)
 			rds_message_put(rm);
 	}
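Review bot: The new test in `if (was_on_sock && rm)` can never be false: `rm` is this function's local pointer and the preceding `rds_message_put(rm)` cannot modify it, so the condition behaves exactly like the original `if (was_on_sock)`. Two consecutive puts, one unconditional and one conditional on `was_on_sock`, is the existing structure of this path and is only correct if the message holds a reference for each; the change does not alter that, and the commit message does not name a scenario in which a message reaches this point with fewer references. If such a scenario exists, the fix belongs where that reference is lost, and the description should say where; as written the change has no effect.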